Merge branch 'develop' into patch-1

Conflicts: system/libraries/Calendar.php
author: Andrew <browner12@gmail.com> 2014-02-11 09:55:48 +0100
committer: Andrew <browner12@gmail.com> 2014-02-11 09:55:48 +0100
commit: b6d8b962e44202a74c9b9321a4a53f61a753fccf (patch)
tree: 2d3c533a55964a0d124f7cd6bb1d3d98c7b84056 /system/core
parent: 41713aaa665189dd0a191c333c73c4a7b9f37c78 (diff)
parent: 29e12641a1bb952f493462db6757ae12c7da1f2c (diff)
3 files changed, 38 insertions, 74 deletions
diff --git a/system/core/Config.php b/system/core/Config.php
index a0e830abe..93c950e2e 100644
--- a/system/core/Config.php
+++ b/system/core/Config.php
@@ -332,6 +332,7 @@ class CI_Config {
 	/**
 	 * System URL
 	 *
+	 * @deprecated	3.0.0	Encourages insecure practices
 	 * @return	string
 	 */
 	public function system_url()
diff --git a/system/core/Input.php b/system/core/Input.php
index ccb70daec..35ce5f12f 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -152,8 +152,20 @@ class CI_Input {
 	 * @param	bool	$xss_clean	Whether to apply XSS filtering
 	 * @return	mixed
 	 */
-	protected function _fetch_from_array(&$array, $index = '', $xss_clean = NULL)
+	protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL)
 	{
+		// If $index is NULL, it means that the whole $array is requested
+		if ($index === NULL)
+		{
+			$output = array();
+			foreach (array_keys($array) as $key)
+			{
+				$output[$key] = $this->_fetch_from_array($array, $key, $xss_clean);
+			}
+
+			return $output;
+		}
+
 		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
 
 		if (isset($array[$index]))
@@ -202,26 +214,6 @@ class CI_Input {
 	 */
 	public function get($index = NULL, $xss_clean = NULL)
 	{
-		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
-		// Check if a field has been provided
-		if ($index === NULL)
-		{
-			if (empty($_GET))
-			{
-				return array();
-			}
-
-			$get = array();
-
-			// loop through the full _GET array
-			foreach (array_keys($_GET) as $key)
-			{
-				$get[$key] = $this->_fetch_from_array($_GET, $key, $xss_clean);
-			}
-			return $get;
-		}
-
 		return $this->_fetch_from_array($_GET, $index, $xss_clean);
 	}
 
@@ -236,26 +228,6 @@ class CI_Input {
 	 */
 	public function post($index = NULL, $xss_clean = NULL)
 	{
-		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
-		// Check if a field has been provided
-		if ($index === NULL)
-		{
-			if (empty($_POST))
-			{
-				return array();
-			}
-
-			$post = array();
-
-			// Loop through the full _POST array and return it
-			foreach (array_keys($_POST) as $key)
-			{
-				$post[$key] = $this->_fetch_from_array($_POST, $key, $xss_clean);
-			}
-			return $post;
-		}
-
 		return $this->_fetch_from_array($_POST, $index, $xss_clean);
 	}
 
@@ -268,10 +240,8 @@ class CI_Input {
 	 * @param	bool	$xss_clean	Whether to apply XSS filtering
 	 * @return	mixed
 	 */
-	public function post_get($index = '', $xss_clean = NULL)
+	public function post_get($index, $xss_clean = NULL)
 	{
-		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
 		return isset($_POST[$index])
 			? $this->post($index, $xss_clean)
 			: $this->get($index, $xss_clean);
@@ -286,10 +256,8 @@ class CI_Input {
 	 * @param	bool	$xss_clean	Whether to apply XSS filtering
 	 * @return	mixed
 	 */
-	public function get_post($index = '', $xss_clean = NULL)
+	public function get_post($index, $xss_clean = NULL)
 	{
-		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
 		return isset($_GET[$index])
 			? $this->get($index, $xss_clean)
 			: $this->post($index, $xss_clean);
@@ -304,10 +272,8 @@ class CI_Input {
 	 * @param	bool	$xss_clean	Whether to apply XSS filtering
 	 * @return	mixed
 	 */
-	public function cookie($index = '', $xss_clean = NULL)
+	public function cookie($index = NULL, $xss_clean = NULL)
 	{
-		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
 		return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
 	}
 
@@ -320,10 +286,8 @@ class CI_Input {
 	 * @param	bool	$xss_clean	Whether to apply XSS filtering
 	 * @return	mixed
 	 */
-	public function server($index = '', $xss_clean = NULL)
+	public function server($index, $xss_clean = NULL)
 	{
-		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
 		return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
 	}
 
@@ -338,23 +302,14 @@ class CI_Input {
 	 * @param	bool	$xss_clean	Whether to apply XSS filtering
 	 * @return	mixed
 	 */
-	public function input_stream($index = '', $xss_clean = NULL)
+	public function input_stream($index = NULL, $xss_clean = NULL)
 	{
-		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
 		// The input stream can only be read once, so we'll need to check
 		// if we have already done that first.
-		if (is_array($this->_input_stream))
-		{
-			return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean);
-		}
-
-		// Parse the input stream in our cache var
-		parse_str(file_get_contents('php://input'), $this->_input_stream);
 		if ( ! is_array($this->_input_stream))
 		{
-			$this->_input_stream = array();
-			return NULL;
+			parse_str(file_get_contents('php://input'), $this->_input_stream);
+			is_array($this->_input_stream) OR $this->_input_stream = array();
 		}
 
 		return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean);
diff --git a/system/core/Security.php b/system/core/Security.php
index cbff38b30..beb7f56e0 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -147,6 +147,9 @@ class CI_Security {
 		'(document|(document\.)?window)\.(location|on\w*)',
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
+		'wscript\s*:', // IE
+		'jscript\s*:', // IE
+		'vbs\s*:', // IE
 		'Redirect\s+30\d',
 		"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
 	);
@@ -356,7 +359,11 @@ class CI_Security {
 		 *
 		 * Note: Use rawurldecode() so it does not remove plus signs
 		 */
-		$str = rawurldecode($str);
+		do
+		{
+			$str = rawurldecode($str);
+		}
+		while (preg_match('/%[0-9a-f]{2,}/i', $str));
 
 		/*
 		 * Convert character entities to ASCII
@@ -415,8 +422,9 @@ class CI_Security {
 		 * These words are compacted back to their correct state.
 		 */
 		$words = array(
-			'javascript', 'expression', 'vbscript', 'script', 'base64',
-			'applet', 'alert', 'document', 'write', 'cookie', 'window'
+			'javascript', 'expression', 'vbscript', 'jscript', 'wscript',
+			'vbs', 'script', 'base64', 'applet', 'alert', 'document',
+			'write', 'cookie', 'window', 'confirm', 'prompt'
 		);
 
 		foreach ($words as $word)
@@ -446,12 +454,12 @@ class CI_Security {
 
 			if (preg_match('/<a/i', $str))
 			{
-				$str = preg_replace_callback('#<a[\s\d"\'`;/=,\(]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
+				$str = preg_replace_callback('#<a[\s\d"\'`;/=,\(\\\\]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
 			}
 
 			if (preg_match('/<img/i', $str))
 			{
-				$str = preg_replace_callback('#<img[\s\d"\'`;/=,\(]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
+				$str = preg_replace_callback('#<img[\s\d"\'`;/=,\(\\\\]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
 			}
 
 			if (preg_match('/script|xss/i', $str))
@@ -475,7 +483,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss';
+		$naughty = 'alert|prompt|confirm|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
@@ -490,7 +498,7 @@ class CI_Security {
 		 * For example:	eval('some code')
 		 * Becomes:	eval&#40;'some code'&#41;
 		 */
-		$str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si',
+		$str = preg_replace('#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si',
 					'\\1\\2&#40;\\3&#41;',
 					$str);
 
@@ -745,7 +753,7 @@ class CI_Security {
 	protected function _js_link_removal($match)
 	{
 		return str_replace($match[1],
-					preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
+					preg_replace('#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
 							'',
 							$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
 					),
@@ -770,7 +778,7 @@ class CI_Security {
 	protected function _js_img_removal($match)
 	{
 		return str_replace($match[1],
-					preg_replace('#src=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
+					preg_replace('#src=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
 							'',
 							$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
 					),
author	Andrew <browner12@gmail.com>	2014-02-11 09:55:48 +0100
committer	Andrew <browner12@gmail.com>	2014-02-11 09:55:48 +0100
commit	b6d8b962e44202a74c9b9321a4a53f61a753fccf (patch)
tree	2d3c533a55964a0d124f7cd6bb1d3d98c7b84056 /system/core
parent	41713aaa665189dd0a191c333c73c4a7b9f37c78 (diff)
parent	29e12641a1bb952f493462db6757ae12c7da1f2c (diff)